Posts Tagged ‘MySpace’

Christmas Comes Early for Identity Thieves

December 11, 2008

MySpace and Google are teaming up (again) in the battle for the web.  Both services run login systems  which aim to simplify the login process for users across multiple sites.  Essentially it means one username and password gets you into all the associated partner sites.

The idea is not new.  A Google ID already gives you access to multiple services. So does a Live ID from Microsoft.  And don’t forget every app you use on Facebook is accessing your details (and your friends’ details) all under your single Facebook login.

Even the open source crowd are in on the act. OpenID is used across a number of sites as a kind of escrow authenticator.

People find it difficult to remember multiple passwords yet passwords remain the most convenient and widely used authentication system on the web.  Provided a password is difficult to guess and is protected by good encryption when it is stored or transmitted it is still a pretty good means of authentication.  And so as long as every site you use a common login ID with follows the correct protocols, every computer you use to visit those sites is secure, and you don’t tell anyone else your password then there isn’t a significant issue.

But as I was reading the article something was nagging in the back of my mind, and it was this. It’s not the risk of the password being compromised that is the problem.  The issue for individuals is that they will be using a common username across many sites.  The username, or some minor deviation from it will in many cases be public because it will appear next to their comments, blog posts, profiles etc. 

It has always been possible to build a profile of a person using information from multiple websites.  You can even pay money to have this done for you.  But there has been a certain hit and miss element to this, even if you focus on usernames rather than actual names.  Two people can share the same username on different sites.

But with a single sign on service, if I know your username I have an assurance that any information which has been posted under that username on any website that uses that service pertains to you. I can therefore build a much more reliable profile of you – and therefore make more money when I sell it!

I’m sure the websites know this, and I’m sure the bad guys know it, but do the general public who will be the losers when things go wrong?

Contextual Malware in Context

December 8, 2008

A recent report from MessageLabs (‘Now part of Symantec’ – in case you missed it) outlines that organisation’s predictions for the threat landscape in 2009.

Once you stumble through the Malware Makes It’s “Mash-up” paragraph (which I had to read three times before it made sense) it makes for thought provoking reading.  MessageLabs predicts that next year the bad guys are going to use personalised web based accounts such as webmail or social networking profiles to send concise and more believable messages to targeted users. The messages will draw users into the scams slowly over a number of contacts rather than reveal themselves at the outset.

Users will also be targeted via their mobile phones, weaving an ever more elaborate and believable trap containing the victim’s online accounts, friends and their mobile services. And the initial attack vector could be a sophisticated and almost undetectable piece of malware hidden within a virtual machine running on their own computer, or for that matter any other machine into which they enter any personally identifiable information.

The guts of the article is that the criminals are getting cleverer, perhaps realising that the general public is also becoming wiser to the old scamming techniques. After all, who really ever falls for the old Nigerian scam? One answer to that question is here, but increasingly the crims are going to rely on the trust we have within our existing online networks. Users of the big three, Facebook, MySpace and Bebo, are learning this the hard way.  Take a look at the comments on just about any Bebo account and you’ll see posts from users of the Bebo mobile service (identified by the logo next to the comment).  Some are obviously phishing attempts but others are not so obvious.

What red-blooded teen user of Bebo wouldn't respond to this?

These messages are targeting the ‘MyFaceBo’ demographic.  The language is there, lack of correct grammar and all, the content is about right, and the message is coming in using a mobile which surely a scammer wouldn’t bother with, would they?

As we operate more and more in interconnected spaces we are all going to have to be more careful about who and what we trust, and as usual the youth market is experiencing the cutting edge of technological change.

2009 is looking like it is going to be an interesting year. Perhaps it will be the year security awareness training comes of age?